Design 17: Multi-Tier Architecture (N-Tier)

Summary

This design implements the classic 3-Tier Architecture (Web, App, Data).

Topology Update: This design is deployed as a Spoke VNet connected to the Hub VNet (Design 5). This allows the Hub to handle VPN/Firewall duties, while this VNet focuses purely on the application.

1. Key Design Decisions (ADR)

ADR-01: Network Segmentation

  • Decision: Use separate Subnets for each tier.
  • Rationale: Allows applying granular NSG rules (e.g., "Only Web Subnet can talk to App Subnet").

ADR-02: Hub & Spoke Integration

  • Decision: Peer this VNet to the Hub.
  • Rationale: To allow admins to RDP/SSH into these private VMs via the Hub VPN, and to allow future egress filtering via Azure Firewall.

2. High-Level Design (HLD)

                                  (Admin Access)
                                        |
                                        v
+--------------+           +--------------------------+
|  Internet    |           |        HUB VNet          |
+------+-------+           | (Shared Services)        |
       | (HTTPS)           |                          |
       |                   |   [VPN Gateway]          |
       v                   |   [Azure Firewall]       |
+------+-------+           +------------+-------------+
|  Web Tier    |                        |
|  (Public LB) |<-----------------------+ (Peering)
+------+-------+
       |
       v
+------+-------+
|  App Tier    |
|  (Private)   |
+------+-------+
       |
       v
+------+-------+
|  Data Tier   |
|  (SQL)       |
+--------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | VPN Gateway           |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-ntier-spoke (10.1.0.0/16)                            |
|                                                                       |
|   +---------------------------------------------------------------+   |
|   | Subnet: snet-web (10.1.1.0/24)                                |   |
|   | NSG: nsg-web (Allow Internet:80)                              |   |
|   | VM: vm-web-01                                                 |   |
|   +-----------|---------------------------------------------------+   |
|               |                                                       |
|               v (Allow: Source 10.1.1.0/24)                           |
|   +-----------|---------------------------------------------------+   |
|   | Subnet: snet-app (10.1.2.0/24)                                |   |
|   | NSG: nsg-app (Deny Internet)                                  |   |
|   | VM: vm-app-01                                                 |   |
|   +-----------|---------------------------------------------------+   |
|               |                                                       |
|               v (Allow: Source 10.1.2.0/24)                           |
|   +-----------|---------------------------------------------------+   |
|   | Subnet: snet-data (10.1.3.0/24)                               |   |
|   | NSG: nsg-data (Deny All Inbound)                              |   |
|   | SQL VM / PaaS                                                 |   |
|   +-----------|---------------------------------------------------+   |
+---------------|-------------------------------------------------------+
                |
                | (ASR Replication / SQL Geo-Replica)
                v
+-----------------------------------------------------------------------+
| SECONDARY REGION (West US) - DR Site                                  |
|                                                                       |
|   +-----------------------+       +-----------------------+           |
|   | ASR Vault             |       | SQL Replica           |           |
|   | (Holds VM Disks)      |       | (Async Commit)        |           |
|   +-----------------------+       +-----------------------+           |
|                                                                       |
|   *Note: VMs are NOT running. They are hydrated only during failover. |
+-----------------------------------------------------------------------+

4. Component Rationale

  • Application Security Groups (ASGs): Can be used as the source or destination of NSG rules to group VM NICs by role (e.g., "WebServers", "AppServers"), so rules read by role instead of by IP range and stay correct when a VM is rebuilt with a different private IP. ASGs and the CIDR-based rules in the LLD are interchangeable; pick one style per NSG.

5. Strategy: High Availability (HA)

  • Tiers: Each tier should have multiple instances (AV Set or VMSS) behind a Load Balancer.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Active-Passive.
  • Secondary Region: Replicate the entire stack to West US.

* ASR: Replicate Web and App VMs.

* SQL Geo-Replication: Replicate Data Tier.

* Traffic Manager: Route traffic to West US if East US fails.

7. Strategy: Backup

  • Data: SQL backups (full plus transaction log) are the critical item; a VM disk backup alone is not a substitute for a database-consistent restore point, and restores should be tested.
  • App/Web: VM Backup via Recovery Services Vault.

8. Strategy: Security

  • Defense in Depth:

* Web: The only tier exposed to the Internet (DMZ). Expose only the service port (80 for this lab, 443 in production), never SSH/RDP.

* App: No inbound from the Internet. Outbound Internet is still permitted by the default NSG rule AllowInternetOutBound until a route table sends 0.0.0.0/0 to the Hub Azure Firewall (the egress-filtering item in ADR-02).

* Data: The "Crown Jewels". No public IP; reachable only from snet-app on 1433 and from admins over the Hub VPN.

9. Well-Architected Framework Analysis

  • Reliability: High. Decoupled layers.
  • Security: High. Strict network segregation.
  • Cost Optimization: Medium. More VMs = Higher cost.
  • Operational Excellence: Medium. More complex to troubleshoot connectivity.
  • Performance Efficiency: High. Dedicated compute for each function.

10. Detailed Traffic Flow

1. Web: User hits the public LB / Web VM on port 80 (443 in production). nsg-web matches the Allow-from-Internet rule at priority 100. Web VM processes UI.

2. App: Web VM calls the App VM API on 8080. nsg-app evaluates inbound rules in ascending priority, first match wins: "Is source in 10.1.1.0/24 (snet-web) and port 8080?" -> Yes -> Allow.

3. Data: App VM queries SQL on 1433. nsg-data: "Is source in 10.1.2.0/24 (snet-app) and port 1433?" -> Yes -> Allow.

4. Block (from the Internet): If a user tries to hit SQL directly, there is no public IP to reach, and even via the LB no rule in nsg-data allows Internet, so the default DenyAllInBound (priority 65500) applies.

5. Block (inside the VNet): Web VM -> SQL 1433, or a VPN-connected laptop -> any VM, is only denied if each NSG carries an explicit Deny from VirtualNetwork placed after the Allow rules and before priority 65000. Without it the default AllowVnetInBound (65000) matches, because the VirtualNetwork tag covers the whole spoke, the peered hub and gateway-connected address spaces, and the Allow at priority 100 restricts nothing.
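The first-match-by-priority evaluation described in this section, modelled in Python as an added example (this is not code from the original design). It encodes Azure's three non-removable default inbound rules and applies them to nsg-data, first exactly as the runbook specifies it (one Allow at priority 100) and then with an explicit Deny from VirtualNetwork. The hub and spoke prefixes are the design's; the VPN client pool 172.16.0.0/24 and the 10.1.x.4 host addresses are assumed values, and the model ignores protocol, source port and destination address.

```python
"""Model of Azure NSG inbound evaluation for nsg-data (added example).

Rules are matched in ascending priority; the first match wins. Azure appends
three default inbound rules that cannot be removed, so an explicit Allow at
priority 100 only narrows access if a Deny sits between it and 65000.
Simplified: matches on source address and destination port only.
"""
import ipaddress
from dataclasses import dataclass

# Prefixes the VirtualNetwork service tag expands to for this spoke: its own
# space and the peered hub (both from the design) plus the VPN client pool
# (172.16.0.0/24 is an assumed value; Design 5 defines the real one). The tag
# also covers the platform host address 168.63.129.16, the source of
# load-balancer health probes.
VNET_PREFIXES = [ipaddress.ip_network(p) for p in ("10.1.0.0/16", "10.0.0.0/16", "172.16.0.0/24")]
HOST_VIP = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str     # CIDR, or a tag: "VirtualNetwork", "Internet", "AzureLoadBalancer", "*"
    dest_port: str  # "1433" or "*"
    action: str     # "Allow" or "Deny"


# The default inbound rules present in every NSG.
DEFAULT_INBOUND = (
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
)


def source_matches(rule_source, src):
    """Does a rule's source (CIDR or service tag) cover the packet's source IP?"""
    ip = ipaddress.ip_address(src)
    in_vnet = ip == HOST_VIP or any(ip in n for n in VNET_PREFIXES)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return in_vnet
    if rule_source == "Internet":
        return not in_vnet
    if rule_source == "AzureLoadBalancer":
        return ip == HOST_VIP
    return ip in ipaddress.ip_network(rule_source)


def evaluate(custom_rules, src, dest_port):
    """Return (action, rule name) for an inbound packet from src to dest_port."""
    for r in sorted((*custom_rules, *DEFAULT_INBOUND), key=lambda r: r.priority):
        if source_matches(r.source, src) and r.dest_port in ("*", str(dest_port)):
            return r.action, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# nsg-data exactly as the runbook specifies it.
NSG_DATA_AS_WRITTEN = [Rule(100, "AllowSqlFromApp", "10.1.2.0/24", "1433", "Allow")]

# Hardened nsg-data: health probes allowed explicitly, then everything else in
# the VirtualNetwork tag denied before the default Allow at 65000 is reached.
NSG_DATA_HARDENED = NSG_DATA_AS_WRITTEN + [
    Rule(4000, "AllowAzureLBProbes", "AzureLoadBalancer", "*", "Allow"),
    Rule(4096, "DenyVnetInBound", "VirtualNetwork", "*", "Deny"),
]

if __name__ == "__main__":
    # Constructed sample sources; the .4 hosts are the runbook's placeholder IPs.
    cases = [("app VM", "10.1.2.4"), ("web VM", "10.1.1.4"), ("VPN laptop", "172.16.0.5"),
             ("Internet", "203.0.113.7"), ("LB probe", "168.63.129.16")]
    for label, rules in (("as written", NSG_DATA_AS_WRITTEN), ("hardened", NSG_DATA_HARDENED)):
        for who, ip in cases:
            print(f"{label:10} {who:11} -> 1433: {evaluate(rules, ip, 1433)}")
```

Running it shows the gap: with the NSG as written, the web VM and the VPN laptop both reach 1433 through AllowVnetInBound; with the Deny at 4096 only the app subnet does. It also shows why the Deny is placed on VirtualNetwork with a separate AzureLoadBalancer Allow above it: the host address 168.63.129.16 is inside the VirtualNetwork tag, so a bare Deny would also drop health probes.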

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Spoke VNet

1. Search: "Virtual networks" -> + Create.

2. Resource Group: Create new rg-ntier-spoke.

3. Name: vnet-ntier-spoke.

4. Region: East US.

5. IP Addresses: 10.1.0.0/16.

6. Subnets:

* snet-web: 10.1.1.0/24.

* snet-app: 10.1.2.0/24.

* snet-data: 10.1.3.0/24.

7. Create.

Phase 2: Peer to Hub (Design 5)

1. Go to vnet-ntier-spoke -> Peerings -> + Add.

2. This VNet: Name Spoke-to-Hub.

3. Remote VNet: Select vnet-hub (from Design 5).

4. Gateway Transit: Check Use the remote virtual network's gateway.

5. Remote VNet Settings: Name Hub-to-Spoke. Check Allow gateway transit.

6. Add.

Phase 3: Create NSGs (Security)

1. Search: "Network security groups" -> + Create.

2. Create three NSGs in rg-ntier-spoke:

* nsg-web

* nsg-app

* nsg-data

Phase 4: Configure NSG Rules

1. nsg-web:

* Inbound, priority 100: Allow TCP 80 from Internet. (80 is for this lab; in production serve HTTPS and allow 443 instead, matching the HLD.)

* Inbound, priority 110: Allow TCP 22/3389 from the VPN client address pool of the Hub gateway (defined in Design 5, not repeated here). This is the admin path from ADR-02.

* Inbound, priority 4000: Allow Any from AzureLoadBalancer (health probes; needed once the tier sits behind a load balancer).

* Inbound, priority 4096: Deny Any from VirtualNetwork.

* Subnets: Associate with snet-web.

2. nsg-app:

* Inbound, priority 100: Allow TCP 8080 from 10.1.1.0/24 (Web Subnet).

* Inbound, priority 110 and 4000: same admin and health-probe rules as nsg-web.

* Inbound, priority 4096: Deny Any from VirtualNetwork.

* Subnets: Associate with snet-app.

3. nsg-data:

* Inbound, priority 100: Allow TCP 1433 (SQL) from 10.1.2.0/24 (App Subnet).

* Inbound, priority 110 and 4000: same admin and health-probe rules as nsg-web.

* Inbound, priority 4096: Deny Any from VirtualNetwork.

* Subnets: Associate with snet-data.

Why the Deny at 4096: every NSG carries the default inbound rules AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500), and the VirtualNetwork tag covers the whole spoke, the peered hub, gateway-connected address spaces and the platform host address 168.63.129.16. Without an explicit Deny placed after your Allow rules and before 65000, the Allow at priority 100 changes nothing: snet-web could still reach SQL on 1433 and a VPN-connected laptop could reach every port on every VM. That Deny also swallows load-balancer health probes, hence the explicit AzureLoadBalancer Allow at 4000. Outbound keeps the default AllowInternetOutBound; egress filtering is the Azure Firewall item in ADR-02.

Phase 5: Deploy VMs

1. Web VM:

* Create VM vm-web-01.

* Subnet: snet-web.

* Public IP: Standard SKU, for testing only (a Standard public IP accepts no inbound traffic until an NSG rule allows it). For anything beyond the lab, front the tier with the public LB and reach the VM over Bastion or the Hub VPN instead.

2. App VM:

* Create VM vm-app-01.

* Subnet: snet-app.

* Public IP: None.

3. Data VM:

* Create VM vm-sql-01.

* Subnet: snet-data.

* Public IP: None.

Phase 6: Verify Access

1. SSH into vm-web-01 (via its Public IP, Bastion, or the Hub VPN).

2. Test App Tier: curl -v http://10.1.2.4:8080 (Replace with App VM IP). Expected: an HTTP response.

* *Note: Ensure App VM has a listener on 8080 (e.g., python3 -m http.server 8080).*

3. Test Data Tier from vm-app-01 (not from the web VM): nc -zv 10.1.3.4 1433 (Replace with SQL VM IP). Expected: succeeded/open.

4. Test Isolation (negative test): from vm-web-01, nc -zv -w 5 10.1.3.4 1433. Expected: timeout. An NSG Deny drops the SYN silently, so "Connection refused" means the test failed: the packet reached the SQL VM and the NSG let it through, which is exactly what happens when nsg-data has only the Allow rule and the default AllowVnetInBound is still in effect.

5. From your laptop connected to the Hub VPN (the 10.1.x.x addresses are not routable from the public Internet, so a test from there proves nothing), nc -zv -w 5 <vm-app-01 private IP> 8080 should also time out. Prefer a TCP probe over ping: the VM's own host firewall may drop ICMP, which makes ping "fail" even when the NSG allows the traffic.